Kirby 2.0.2

Oct 282014

After the release of 2.0.1 yesterday we didn't expect to be coming up with a new release within the next two weeks. Unfortunately we just got a report of a serious security issue, so we wanted to get a fix for this out to you as soon as possible.

With Kirby 2's new user roles it is possible to create frontend users, who have access to certain locked parts of your website (such as a client download area) but are not allowed to login to the panel to make changes to the website. You can find more in the docs about it here: http://getkirby.com/docs/panel/roles

Unfortuntaley there was a security hole in the panel which allowed logged in frontend users to manually modify the URL to get access to the panel. As this feature is brand new and your frontend users have to be logged in and know how to modify the URLs to get access, the chances are very low that this might affect your site.

It is still a serious issue and we recommend that you update your installation immediately — especially if you are working with frontend authentication.